Layer 2 Security on Cisco Catalyst Platforms - Page 3

ciscomoderator · ‎10-16-2013

With Wilson Bonilla

Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about about issues in designing, planning, and implementing Layer 2 security in your LAN network with expert Wilson Bonilla.

Wilson will cover topics that network engineers face daily such as Spanning Tree Protocol security, private VLANs, IP source guard, protected ports, dynamic ARP inspection, virtual LAN access-control lists (VLAN ACLs), and Dynamic Host Configuration Protocol (DHCP) snooping over Cisco Catalyst platforms. With the fast growth of networks, Layer 2 security is even more critical in the LAN to help your network become more reliable, efficient, and secure. Wilson will answer your questions about LAN networks with Cisco Catalyst switches.

Wilson Bonilla is a technical networking trainer at the Learning and Development Department for Cisco Technical Assistance Center located in Costa Rica. Before joining the Training Department, he worked for the Cisco TAC as a customer support engineer focused on LAN Switching for more than two years. While working on LAN switching, Wilson also had roles such as technical leader and trainer, adding to his area of expertise in Cisco Catalyst Layer 2 switching. He has CCNP routing and switching certification and is currently studying to achieve his CCNA certification in data center.

Remember to use the rating system to let Wilson know if you've received an adequate response.

Because of the volume expected during this event, Wilson might not be able to answer every question. Remember that you can continue the conversation in the Network Infrastructure community, subcommunity, LAN, Switching and Routing, shortly after the event. This event lasts through November, 2013. Visit this forum often to view responses to your questions and those of other Cisco Support Community members.

Wilson Bonilla · ‎11-01-2013

Hello Alain.

Actually as stated in the 6500 configuration guide:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SY/configuration/guide/port_acls.html

PACL are indeed applied to routed traffic as well. I apologize if somewhere above I mentioned routed traffic is not affected by PACLs.

Regards.

Wilson B.

ahalwani · ‎10-31-2013

Dear Wilsion,

Thank you for your response, it was very helpful and thank you Alain for the inbound addition

As you explained, the IP Source Guard solution will not be complete without the DHCP snooping.

However, I forgot to mention that clients are assigned static IPs and since their mac address change a lot wouldn't you agree that PACL in this case require less administrative intervention and may be a better solution?

Thanks,

-Ahmad

cadet alain · ‎10-31-2013

Hi,

You can use IP Source Guard with hosts having static IPs.

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750x_3560x/software/release/12.2_55_se/configuration/guide/swdhcp82.html#wp1281565

Regards

Alain

Don't forget to rate helpful posts.

Wilson Bonilla · ‎11-01-2013

Hello Ahmad.

That is a very special scenario, I don't overseen a scenario where the same user with static ip address change its mac address oftenly. Now, as Alain mentioned, you can also configure Ip Source guard with static ip address configuration, which might involve adminitrative burden to the process but with better results. Anyways there are always different configurations to achieve the same result. I would stick with the IP source guard. Feel free to email me if you have further questions.

Regards.

Wilson B.

Ask the Expert: Layer 2 Security on Cisco Catalyst Platforms